
Replace of google_cloud_run_v2_service breaks authorization setting

Open johanblumenberg opened this issue 7 months ago • 17 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.2 on Mac M1, Linux x86_64

  • provider registry.terraform.io/hashicorp/google v5.38.0

Affected Resource(s)

google_cloud_run_v2_service, google_cloud_run_service

Terraform Configuration

variable "project" {
  type = string
}

data "google_iam_policy" "cloud-run-noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

resource "google_cloud_run_v2_service" "my-service" {
  project  = var.project
  name     = "my-service"
  location = "us-central1"

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

resource "google_cloud_run_service_iam_policy" "my-service-noauth" {
  location    = google_cloud_run_v2_service.my-service.location
  project     = google_cloud_run_v2_service.my-service.project
  service     = google_cloud_run_v2_service.my-service.name
  policy_data = data.google_iam_policy.cloud-run-noauth.policy_data
}

Debug Output

No response

Expected Behavior

Step 1: Initial apply, nothing strange here.
Step 2: This should replace the resource google_cloud_run_v2_service.my-service.
Step 3: This should report that everything is up to date.

Actual Behavior

Step 2: The cloud run service is not accessible. Looking in GCP Cloud Console, it is changed from "Allow unauthenticated invocations" to "Require authentication" under the Security tab.
Step 3: Reports that the google_cloud_run_service_iam_policy resource must be created. Once it is created, the cloud run service is accessible again.

When repeating steps 2 and 3 a few times, the access problem appears maybe 50% of the time. But the problem that step 3 doesn't report that everything is up to date happens 100% of the time.

This bug happens both in google_cloud_run_service and google_cloud_run_v2_service.

It was working using the google provider version 4.83.0.

Steps to reproduce

  1. terraform apply
  2. terraform apply -replace google_cloud_run_v2_service.my-service
  3. terraform apply
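As an added workaround example (not from the issue author or the provider project): the invoker policy lives on the service object, so replacing the service discards it, and the next plan has to rediscover that. Tying the policy resource's lifecycle to the service's server-assigned `uid` (assumed to change on every re-creation) makes the policy re-creation part of the same apply, so the exposure change shows up in the plan instead of after it.

```hcl
variable "project" {
  type = string
}

data "google_iam_policy" "cloud-run-noauth" {
  binding {
    role    = "roles/run.invoker"
    members = ["allUsers"]
  }
}

resource "google_cloud_run_v2_service" "my-service" {
  project  = var.project
  name     = "my-service"
  location = "us-central1"

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

resource "google_cloud_run_service_iam_policy" "my-service-noauth" {
  location    = google_cloud_run_v2_service.my-service.location
  project     = google_cloud_run_v2_service.my-service.project
  service     = google_cloud_run_v2_service.my-service.name
  policy_data = data.google_iam_policy.cloud-run-noauth.policy_data

  lifecycle {
    # Assumption: `uid` is regenerated whenever the service is re-created
    # (the `id` keeps the same projects/.../services/<name> value, so it
    # would not trigger). Referencing `uid` here forces this policy
    # resource to be replaced in the same apply that replaces the service,
    # re-applying the allUsers binding instead of leaving the service in
    # "Require authentication" until a later plan notices the drift.
    replace_triggered_by = [google_cloud_run_v2_service.my-service.uid]
  }
}
```

Between the destroy and create steps the new service still requires authentication, which is the fail-closed state; the point of the trigger is that the plan for the replace now lists the policy change explicitly rather than reporting a clean apply.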

Important Factoids

No response

References

No response

b/359335569

johanblumenberg avatar Jul 24 '24 15:07 johanblumenberg